With the Windows Server 2008 Event Viewer, a useful but neglected tool picks up a new interface and some useful features.

WEBINAR:On-Demand

When it's 2 a.m. and you get paged because a Windows server is not doing its job, one of the first places to look is the Event Viewer. The Event Viewer is a vital tool for any system administrator because it is the primary method for getting error messages from the operating system and many applications. It seems strange that a tool as important as this remained virtually unchanged from the NT days. With Server 2008 and Vista, the Event Viewer has gotten a much-needed face lift. The new interface includes the ability to execute a task based on a particular event, save custom filters, get more detailed logging and forward events from one server to another.

One of the most powerful additions to the new Vista/2008 Event Viewer is the ability to execute a task based on the occurrence of a particular event. The process is simple and straightforward:

Right-click on the event that you want to trigger on and choose Attach Task To This Event

Choose a name and description for the task >> Next

Choose whether you want to start a program, send an e-mail, or display a message when the event occurs >> Next

Configure the action you chose in step 4 >> Next >> Finish

Figure 1. Click for a larger image.

Once you have created a task for a particular event you can edit that task through the Task Scheduler. The tasks you create from the Event Viewer will show up in an Event Viewer Tasks folder in the Task Scheduler (see Figure 1). From here you can further customize the task by creating additional actions that should take place when a particular event occurs. You can also view the history tab to see how many times the task has been triggered.

The custom filters which are referred to as "Custom Views" in the new interface are a much needed improvement to the Event Viewer. When you configure an event filter for the pre Vista/2008 Event Viewer it only "remembers" the filter for that session. It is possible to create a custom MMC console that will save your filters, but you cannot save filters for more than one section (i.e. Application, Security or System) without additional custom MMC consoles. Follow these steps to create a Custom View:

Choose the appropriate filter criteria and be sure to select at least one "Event level" or your custom view will not show any events >> OK. See Figure 2 for a view of the custom filter screen.

Choose a name for your new filter. Note that you can create sub-folders to help organize your custom filters.

Figure 3. Click for a larger image.

See Figure 3 for a Custom View that displays only error messages.

Figure 4. Click for a larger image.

The new Event Viewer also provides a much deeper look into the innards of Windows by adding new types of events that go above and beyond the standard Application, Security, and System events. This new section is called Applications and Service Logs. By default this new section will show operational logs for day to day activities that you dont necessarily want cluttering up the main event log area. The operational logs are divided into sub-folders based on the type of service. See Figure 4 for an example of the Windows update client operational log.

The new Applications and Service Logs section can provide even more information, but you will have to enable it first. To enable the analytic and debug logs click on View and then Show Analytic and Debug Logs. After enabling this option you will see much more information appear in the Applications and Service Logs section of the Event Viewer. Its not advisable to leave this extra logging enabled when you are not troubleshooting an issue because it will fill up your log files with excessive entries.

Figure 5. Click for a larger image.

Another great addition to the Vista/2008 Event Viewer is the ability to forward events from one server or workstation to another. This is an impressive new feature that has the potential for all sorts of uses. One possibility would be to set up a server to collect the log info for all your Windows servers and workstations. You could combine this with the event-based task execution and have one central monitoring server that will e-mail system administrators for designated events. Follow these steps to forward events from one Vista/2008 machine to another (see Figure 5).

Run winrm quickconfig from a command prompt on all source machines. If you choose the Minimize Bandwidth or Minimize Latency delivery options then you will need to run this command on all destination machines as well.

Run wecutil qc from an elevated command prompt on destination machine(s).

Add the destination computer account to the local Administrators group on each of the source machines.

Check out the Microsoft help pages for more information on setting up event forwarding. There are some additional gotchas if you use the HTTPS option or specify a user account to retrieve the events. There are also additional steps that must take place if your computers are not in a domain.

People pay thousands of dollars for Microsoft's System Center Operations manager. With the Vista/2008 Event Viewer there is now a poor mans version. The new Event Viewer that comes with Vista and Server 2008 is a welcome improvement to the Windows OS and will no doubt make many lives much easier.

ryan@bass.name

Please enable Javascript in your browser, before you post the comment! Now Javascript is disabled.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.

Thanks for your registration, follow us on our social networks to keep up-to-date